Re: [QUERY]: Adding support for a platform

public inbox for binutils@sourceware.org
 help / color / mirror / Atom feed

From: Jessica Clarke <jrtc27@jrtc27.com>
To: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>,
	binutils@sourceware.org,
	linux-riscv <linux-riscv@lists.infradead.org>
Subject: Re: [QUERY]: Adding support for a platform
Date: Tue, 29 Nov 2022 20:12:25 +0000	[thread overview]
Message-ID: <4386F399-2862-4161-B303-8080EBEEA374@jrtc27.com> (raw)
In-Reply-To: <CA+V-a8vT3AjnU1-s0k7ff0Y7WLofpHYnJPF+mKVnUspsrPvQtw@mail.gmail.com>

On 29 Nov 2022, at 19:28, Lad, Prabhakar <prabhakar.csengg@gmail.com> wrote:
> 
> Hi Palmer,
> 
> Oops I should have included linux-riscv to the CC list here (doing it now)
> 
> On Tue, Nov 29, 2022 at 7:20 PM Palmer Dabbelt <palmer@dabbelt.com> wrote:
>> 
>> On Tue, 29 Nov 2022 11:16:29 PST (-0800), binutils@sourceware.org wrote:
>>> Hi All,
>>> 
>>> If this is not the right place to ask this question please let me know.
>>> 
>>> So we have a RISCV platform (Renesas RZ/Five) for which we need to
>>> adjust the TEXT_START_ADDR. So below are my queries:
>>> * What is the procedure for upstreaming?
>>> * Are patches accepted for individual platforms (for adjusting TEXT_START_ADDR)?
>> 
>> Is this still related to that bug with the static binaries you'd
>> mentioned before?  I think we'd really need to figure out the root cause
>> before we can make a reasoned decision here, my guess would be that
>> changing TEXT_START_ADDR just works around the real bug.
>> 
> Below is the root cause and the solution:
> 
> TEXT_START_ADDR is the start of the text segment of an application.
> This is being set to 0x10000 for RISCV platforms.
> 
> So when an application is compiled with the static flag the load would
> start from 0x10000 - xyz (depending on size of the application)
> 
> Entry point 0x101c0
> There are 5 program headers, starting at offset 64Program Headers:
>  Type           Offset             VirtAddr           PhysAddr
>                 FileSiz            MemSiz              Flags  Align
>  LOAD           0x0000000000000000 0x0000000000010000 0x0000000000010000
>                 0x0000000000059b48 0x0000000000059b48  R E    0x1000
>  LOAD           0x0000000000059b60 0x000000000006ab60 0x000000000006ab60
>                 0x0000000000001f68 0x0000000000003528  RW     0x1000
> 
> So for the above application which is compiled statically we can see
> the entry point is 0x101c0 and load 0x0000000000010000.
> 
> Andes AX45MP cores have local memory ILM and DLM that are mapped in
> the region H’0_0003_0000 - H’0_0004_FFFF on the RZ/Five SoC. When the
> virtual address falls in this range the MMU doesn't trigger a page
> fault and assumes the virtual address as physical address and hence
> the application fails to run (panics somewhere).
> 
> So to avoid this issue we set the TEXT_START_ADDR to 0x50000 so that
> the virtual address of any statically compiled application does not
> fall in the range of H’0_0003_0000 - H’0_0004_FFFF.
> 
> Elf file type is EXEC (Executable file)
> Entry point 0x504e4
> There are 5 program headers, starting at offset 64
> 
> Program Headers:
>  Type           Offset             VirtAddr           PhysAddr
>                 FileSiz            MemSiz              Flags  Align
>  LOAD           0x0000000000000000 0x0000000000050000 0x0000000000050000
>                 0x0000000000057dc8 0x0000000000057dc8  R E    0x1000
>  LOAD           0x00000000000585b8 0x00000000000a95b8 0x00000000000a95b8
>                 0x0000000000004ee0 0x00000000000064b0  RW     0x1000
>  NOTE           0x0000000000000158 0x0000000000050158 0x0000000000050158
>                 0x0000000000000044 0x0000000000000044  R      0x4
> 
> So now with the fix for statically compiled applications we can see
> its offsetted and entry point is 0x504e4 and load is at
> 0x0000000000050000. So with this we are for sure the MMU will always
> trigger a page fault.

Well that’s just a blatant violation of the spec. What happens if a
malicious (or buggy) userspace binary goes and accesses unmapped memory
in that range? Does it actually get access to this ILM/DLM? If so
that’s a gaping side channel.

Jess

next prev parent reply	other threads:[~2022-11-29 20:12 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-29 19:16 Lad, Prabhakar
2022-11-29 19:20 ` Palmer Dabbelt
2022-11-29 19:28   ` Lad, Prabhakar
2022-11-29 19:35     ` Palmer Dabbelt
2022-11-29 21:33       ` Lad, Prabhakar
2022-11-29 20:12     ` Jessica Clarke [this message]
2022-11-29 20:21       ` Andrew Waterman
2022-11-29 20:57         ` Palmer Dabbelt
2022-11-29 21:40           ` Lad, Prabhakar
2022-11-29 21:54             ` Palmer Dabbelt
2022-12-12 12:43               ` Lad, Prabhakar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4386F399-2862-4161-B303-8080EBEEA374@jrtc27.com \
    --to=jrtc27@jrtc27.com \
    --cc=binutils@sourceware.org \
    --cc=linux-riscv@lists.infradead.org \
    --cc=palmer@dabbelt.com \
    --cc=prabhakar.csengg@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).